1. Field of the Invention
The present invention relates generally to network security and more particularly to detecting encrypted bot command and control (C&C) communication channels.
2. Background Art
Presently, malicious software (i.e., malware) can attack various devices via a network. For example, malware may include any program or file that is harmful to a computer user, such as bots, computer viruses, worms, trojan horses, spyware, or any programming that gathers information about a computer user or otherwise operates without permission. Various processes and devices have been employed to prevent the problems that malware can cause.
A bot is a software robot configured to remotely control all or a portion of a computer without authorization by the computer's user. Bot related activities include bot propagation and attacking other computers on a network. Bots commonly propagate by scanning nodes (e.g., computers) available on a network to search for a vulnerable target. When a vulnerable computer is found, the bot may install a copy of itself. Once installed, the new bot may continue to seek other computers on a network to infect. It is also not uncommon for a computer to be purposefully configured to seek vulnerable computers on a network and install the bots. In some cases, a bot opens up a backdoor on the infected host computer, allowing access to and, in some cases, control of the host computer.
A bot may also, without the authority of the infected computer user, establish a command and control communication channel to receive instructions. Bots may receive command and control communication with a centralized bot server or another infected computer (e.g., via a peer-to-peer (P2P) network established by bots on the infected system).
In some embodiments, the bot receives instructions to perform bot related activities. When a plurality of bots (i.e., a botnet) act together, the infected computers (i.e., zombies) can perform organized attacks against one or more computers on a network. In one example, bot infected computers may be directed to ping another computer on a network in a denial-of-service attack. In another example, upon receiving instructions, one or more bots may direct the infected computer to transmit spam across a network.
A bot may also receive instructions to transmit information regarding the infected host computer. In one example, the bot may be instructed to act as a keylogger and record keystrokes on the infected host computer. The bot may also be instructed to search for personal information and email addresses of other users contained in an email or contacts file. This information may be transmitted to one or more other infected computers or to a user in command of the bot or botnet.
Bots often take advantage of Internet Relay Chat (IRC) channels as command and control communications channels to receive instructions. Typically, the bot on the compromised device will open an IRC channel and wait for commands from another bot, a bot server, or a person in control of the bot.
Communication (e.g., instructions) to or from bots is often encrypted. Although current antivirus programs can scan unencrypted data, the encrypted data (e.g., via Secure Sockets Layer (SSL)) typically cannot be examined to analyze the communication. As a result, bots often go undetected.
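The following Python program is an added illustration of the last two paragraphs and is not part of the patent or any product it describes. It runs a simple content scanner over constructed sample flow records: a cleartext IRC registration sequence (NICK, USER, JOIN) is recognized directly, whereas a flow that begins with a TLS handshake record, or whose payload bytes are near-random, offers the scanner nothing to match on, which is exactly why the encrypted case goes undetected by payload inspection. The only signal left for the encrypted flow is metadata such as the destination port; the port numbers (6667 plaintext IRC, 6697 IRC over TLS), the entropy threshold, the IP addresses and the payloads are all assumptions constructed for this example.

```python
import math
import re

# Assumed well-known IRC ports used by the example heuristic (constructed choice).
IRC_PLAINTEXT_PORT = 6667
IRC_TLS_PORT = 6697

# Client registration and messaging commands an IRC-based bot sends when it
# opens a channel and waits for instructions.
IRC_COMMAND_RE = re.compile(rb"^(PASS|NICK|USER|JOIN|PRIVMSG) ", re.MULTILINE)

# Constructed sample flows (not captured data): one client-to-server payload each.
SAMPLE_FLOWS = [
    {"src": "10.0.0.12", "dst": "203.0.113.5", "dport": IRC_PLAINTEXT_PORT,
     "payload": b"NICK zmb-4411\r\nUSER zmb 0 * :zmb\r\nJOIN #ctrl\r\n"},
    # TLS handshake record header followed by opaque bytes standing in for
    # the encrypted session; bytes(range(256)) is used so the example is
    # deterministic while still having maximal byte entropy.
    {"src": "10.0.0.13", "dst": "203.0.113.5", "dport": IRC_TLS_PORT,
     "payload": b"\x16\x03\x01\x01\x00" + bytes(range(256))},
    {"src": "10.0.0.14", "dst": "198.51.100.7", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
]


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the payload in bits per byte (0.0 for empty, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_tls(data: bytes) -> bool:
    """True if the payload starts with a TLS handshake record header:
    content type 0x16 and a record version of 0x0300 through 0x0303."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03


def classify_flow(flow: dict) -> str:
    """Classify a single flow using payload content first, port metadata second."""
    payload = flow["payload"]
    # Cleartext IRC commands are visible to a content scanner and match directly.
    if IRC_COMMAND_RE.search(payload):
        return "irc_plaintext"
    # A TLS handshake or near-random bytes mean the content cannot be examined;
    # the high-entropy test is a heuristic and also fires on compressed data.
    if looks_like_tls(payload) or byte_entropy(payload) > 7.0:
        # Only metadata remains: note whether the opaque flow targets an IRC port.
        if flow["dport"] in (IRC_PLAINTEXT_PORT, IRC_TLS_PORT):
            return "encrypted_irc_port"
        return "encrypted_opaque"
    return "cleartext_other"


def scan_flows(flows: list) -> list:
    """Return (source address, label) for every flow in the order given."""
    return [(flow["src"], classify_flow(flow)) for flow in flows]


if __name__ == "__main__":
    for src, label in scan_flows(SAMPLE_FLOWS):
        print(f"{src:<12} {label}")
```

The scanner's verdict for the second flow is the weakest of the three: nothing in its payload names a bot, a channel or a command, and the only reason it is not simply "encrypted_opaque" is the destination port, which a bot can change at will. That gap between what cleartext inspection yields and what is left once the channel is wrapped in SSL/TLS is the problem the invention sets out to address.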